Here are some lines from logwatch:

pam_unix

sshd:   Authentication Failures:
     root (211.167.103.115): 5 Time(s)
     unknown (219.239.110.139): 1 Time(s)
   Invalid Users:
     Unknown Account: 1 Time(s)

su:   Sessions Opened:
     root -> nobody: 3 Time(s)

Now, taken alone I would assume that the su entries are just some timed escalation of privileges (or de-escalation, as the case may be), but in conjunction with the standard attempts at root password cracking, they're more unsettling. Should I be concerned about security holes due to either of these sets of notice/logwatch entries?

Kzqai

Answer:

You should not be concerned about "authentication failures" for root - there are myriads of malware and script-kiddie tools trying root passwords on every host they can reach. As long as you do not allow direct root logins and/or have a sufficiently complex non-dictionary root password, this is nothing to worry about.

The root -> nobody sessions are indeed dropped privileges - something that starts as root and changes the security context to the unprivileged "nobody" user - which is good security practice.

the-wabbit

  • Ok, just wanted to make sure. Just a little bit of a follow up question, even in the cases where root login is disabled (my intent and the way that I have configured ssh, as well as denyhost), do those authentication failure messages still occur? – Kzqai May 20 '11 at 15:59
  • OpenSSHd just logs an "invalid user root" login attempt, not an "authentication failure" as it does with an incorrect password – the-wabbit May 20 '11 at 16:03
  • `root -> nobody` comes from crons. – Lekensteyn May 20 '11 at 16:21
  • Hmmm, okay, so that may be indicative of the configuration still allowing attempts on the root account's password, good to know. – Kzqai May 20 '11 at 19:52
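To see where the logwatch lines above come from, here is an added example (not part of the original question or answer) that rebuilds that summary from raw syslog lines: it counts pam_unix authentication failures per service, user and rhost, the "check pass; user unknown" entries that logwatch reports as "Unknown Account", sshd's own "Invalid user" lines that the comments mention, and pam_unix session lines for su. The sample log lines and IP addresses are constructed for illustration, and mapping "by (uid=0)" to "root" is an assumption about how the origin of a session is resolved.

```python
import re
from collections import Counter

# Constructed sample syslog lines (illustrative host and IPs, not real data),
# in the pam_unix / sshd formats that logwatch's pam_unix and sshd sections read.
SAMPLE_LOG = """\
May 20 03:14:01 host sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.167.103.115  user=root
May 20 03:14:03 host sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.167.103.115  user=root
May 20 03:20:11 host sshd[2250]: Invalid user admin from 219.239.110.139
May 20 03:20:11 host sshd[2250]: pam_unix(sshd:auth): check pass; user unknown
May 20 03:20:11 host sshd[2250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.239.110.139
May 20 04:00:01 host su[2301]: pam_unix(su:session): session opened for user nobody by (uid=0)
May 20 05:00:01 host su[2390]: pam_unix(su:session): session opened for user nobody by (uid=0)
"""

PAM_FAIL = re.compile(r" (\w+)\[\d+\]: pam_unix\(\w+:auth\): authentication failure;.*?rhost=(\S*)(?:\s+user=(\S+))?")
PAM_UNKNOWN = re.compile(r" (\w+)\[\d+\]: pam_unix\(\w+:auth\): check pass; user unknown")
SSHD_INVALID = re.compile(r" sshd\[\d+\]: Invalid user (\S+) from (\S+)")
PAM_SESSION = re.compile(r" (\w+)\[\d+\]: pam_unix\(\w+:session\): session opened for user (\S+) by (\w*)\(uid=(\d+)\)")

def summarize(log_text):
    """Group events the way the logwatch excerpt in the question does."""
    report = {"auth_failures": Counter(), "unknown_account": Counter(),
              "invalid_users": Counter(), "sessions": Counter()}
    for line in log_text.splitlines():
        if m := PAM_FAIL.search(line):
            service, rhost, user = m.groups()
            # No user= field means PAM only knows the account did not exist.
            report["auth_failures"][(service, user or "unknown", rhost)] += 1
        elif m := PAM_UNKNOWN.search(line):
            report["unknown_account"][m.group(1)] += 1
        elif m := SSHD_INVALID.search(line):
            report["invalid_users"][(m.group(1), m.group(2))] += 1
        elif m := PAM_SESSION.search(line):
            service, target, by_name, uid = m.groups()
            # Assumption: an unnamed uid=0 origin is reported as "root".
            origin = by_name or ("root" if uid == "0" else f"uid={uid}")
            report["sessions"][(service, origin, target)] += 1
    return report

def root_password_attempts(report):
    """Failures where a password for the real root account reached PAM."""
    return sum(n for (_, user, _), n in report["auth_failures"].items() if user == "root")

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for (svc, user, host), n in sorted(r["auth_failures"].items()):
        print(f"{svc}:   Authentication Failures: {user} ({host}): {n} Time(s)")
    for (svc, origin, target), n in sorted(r["sessions"].items()):
        print(f"{svc}:   Sessions Opened: {origin} -> {target}: {n} Time(s)")
```

Running it on a real /var/log/auth.log lets you check whether root failures still carry a user=root field, which is the point raised in the comments: if direct root logins are refused, those attempts show up as "Invalid user" entries instead of password failures for root.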